
CVE-2025-54309 - CrushFTP Unauthenticated Remote Command Execution Exploit PoC by Issam Junior

Vulnerability Overview
CVE: CVE-2025-54309
CVSS: 9.8 (Critical)
Product: CrushFTP
Impact: Unauthenticated Remote Command Execution (RCE) over HTTPS

CrushFTP, a popular enterprise file transfer solution, suffers from a critical vulnerability in its DMZ proxy implementation. Missing checks allow external attackers to reach the admin interface via HTTPS POST requests, bypassing authentication and directly invoking system commands.

Technical Breakdown
The vulnerability exists due to incomplete validation in the DMZ proxy's handling of HTTPS requests. By crafting a malicious XML-RPC request to the /WebInterface/function/ endpoint, attackers can trigger system commands on the server without authentication. This flaw allows full server compromise, data theft, and lateral movement.

Affected Versions: All CrushFTP versions prior to 10.7.0 (verify with vendor advisories for specifics).

Dorks for Hunting CrushFTP Servers

Shodan Dorks
http.favicon.hash:427298725
"CrushFTP"
http.html:"CrushFTP"
product:"CrushFTP"
ssl:"CrushFTP"
port:443 "CrushFTP"

Ffuf/Faff Dorks (URL Discovery)
/WebInterface/function/
/WebInterface/login/
/WebInterface/json/
/WebInterface/info/
/favicon.ico

Hunter Dorks (Google, Censys, etc.)
title:"CrushFTP WebInterface"
"Powered by CrushFTP"
inurl:/WebInterface/function/
inurl:/WebInterface/login/

Exploit Features
Multiple Payloads: xml:…
Exploit for Unprotected Alternate Channel in Crushftp

